Police Seize Evil Corp-Tied Group’s Servers, Clean Subverted WordPress Sites
A criminal hacking operation that sold access to hacked computers to other cybercriminals had more than a hundred servers seized by police, who also cleaned tens of thousands of websites carrying the group’s malicious ClickFix social engineering trap.
Dutch police said Thursday it disrupted a key infection chain used by the notorious Russian-speaking cybercrime syndicate Evil Corp.
“With these actions we deprive cybercriminals of access to infected computer systems,” said Maikel Rollman of the Dutch National High Tech Crime Unit, which led the disruption together with the FBI, Royal Canadian Mounted Police and Germany’s Federal Criminal Police Office, backed by support from Europol and Eurojust, plus a number of private sector partners.
“This marks the beginning of further action against SocGholish,” Rollman said, referring to the malware family disrupted by police. Also known as “FakeUpdates,” the malware masquerades as a legitimate software update.
Evil Corp, also tracked as Mustard Tempest, UNC1543 and TA569, has been “a cornerstone of the cybercrime-as-a-service economy” since it debuted in 2017, said Orange Cyberdefense. British law enforcement has connected Evil Corp to Russian intelligence, finding that the Kremlin has tasked the threat actor with conducting cyberattacks and cyberespionage operations.
Police said direct notifications to owners of WordPress sites that unwittingly carried SocGholish have been carried out by HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and the Dutch National Cyber Security Center. The notifications alert users that malware and backdoors have been removed from their WordPress sites and urge them to change their passwords, enable multifactor authentication, delete any unexpected WordPress accounts and ensure they always keep their WordPress sites and plug-ins updated.
The free HaveIBeenPwned breach-notification service said it received from authorities a list of 154,000 email addresses targeted in SocGholish attacks, “and more than half a million previously unseen passwords” that the group obtained.
Based on data collected by Dutch police, SocGholish was present on 14,971 websites and cybercriminals nabbed the login credentials of 1.4 million websites.
The disruption of SocGholish is the latest in the international law enforcement and judicial effort dubbed Operation Endgame, launched in 2024 and designed to disrupt criminal services and providers, and identify and arrest perpetrators. Previous targeting has disrupted initial access botnets, illicit bulletproof hosting and VPN service providers, information-stealing malware services, and led to multiple arrests.
“First and foremost, it’s important to clarify that SocGholish is not typically the final step in an attack. It is a JavaScript-based downloader, and its primary operator – a Russian-speaking, financially motivated threat actor – functions as an initial access broker,” Orange Cyberdefense said. Initial access broker customers include ransomware groups and banking Trojan outfits, as well as nation-state groups such as the Russian government.
To spread its downloader, Evil Corp regularly targets widely used content management systems such as WordPress, which says its software is on 43% of the world’s internet sites, as well as Joomla and Drupal.
SocGholish regularly exploits known vulnerabilities or uses stolen credentials to gain access to the sites and inject them with malicious JavaScript designed to execute only when certain types of users visit, researchers said. When it does, targets typically see a ClickFix-style attack, oftentimes warning them to update their browser by clicking on a “download” link (see: ClickFix Attacks Increasingly Lead to Infostealer Infections).
In many cases, this results in the download of a zip file containing malicious JavaScript, which, if executed, installs a downloader on the system and connects it to a command-and-control server. Malware subsequently pushed onto these systems through the downloader on behalf of SocGholish customers has included infostealers, LockBit and Wastedlocker ransomware, RansomHub precursor malware, the remote access Trojans AsyncRAT and NetSupport RAT, as well as the PowerShell backdoor GhostWeaver.
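The lure described above delivers a zip archive whose payload is a JavaScript file that Windows will run if double-clicked. The following added example (not code from the article or from any of the organizations named in it) shows a defender-side triage check that flags archive members whose final extension is a script type, including deceptive double extensions such as a hypothetical "Chrome-Update.pdf.js"; the sample archive is constructed in memory and contains no real malware.

```python
from __future__ import annotations

import io
import zipfile

# Extensions that Windows hands to the Windows Script Host (or mshta) when
# double-clicked. A fake-update lure that ships a .js inside a .zip relies on this.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def risky_members(archive_bytes: bytes) -> list[str]:
    """Return archive members whose final extension is a script type.

    Only the last extension is examined, so a double-extension name such as
    'Chrome-Update.pdf.js' is still flagged. Matching is case-insensitive.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_sample_archive(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory zip so the check can run offline (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure-style archive: a benign text file plus a placeholder
    # script carrying a deceptive double extension (hypothetical file names).
    sample = build_sample_archive({
        "README.txt": b"Please run the update.",
        "Chrome-Update.pdf.js": b"// placeholder content, not malware\n",
    })
    print(risky_members(sample))  # ['Chrome-Update.pdf.js']
```

A mail gateway or download proxy can quarantine any archive for which this returns a non-empty list, which blocks the delivery step regardless of which second-stage malware the operator's customer intended to push.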
Researchers said victims of the group hail from every sector, ranging from law firms and schools to healthcare providers and hospitals.
“SocGholish is not a niche threat. Their activities reach deep into public sector and commercial environments, paving the way for other cybercriminals to gain access to networks,” said Renée Burton, vice president of threat intelligence for Infoblox, which assisted with the disruption.
Highlighting the reach of the group’s malicious activity, Infoblox said over half of its cloud customers encountered a SocGholish-controlled website this year, including critical infrastructure organizations.
Evil Corp continues to be tied to a range of illicit online activity, including Zeus and Dridex malware, as well as major ransomware and money-laundering operations, police said. As with other Russia-based cybercrime-as-a-service providers, members of the group operate beyond the reach of Western law enforcement, meaning that although their infrastructure might get disrupted, they can simply set up shop again (see: Evil Corp Protected by Ex-Senior FSB Official, Police Say).
“We fully expect TA569 and its customers to regroup, retool and attempt to rebuild their infrastructure,” Orange Cyberdefense said.